fix undeletable SAS pictures

2025-07-10 03:49:24 +00:00 · 2024-09-09 21:37:28 +02:00
parent 66189d3ab2
commit 55ad1f99fd
5 changed files with 82 additions and 61 deletions
--- a/core/models.py
+++ b/core/models.py
@ -944,40 +944,15 @@ class SithFile(models.Model):
                    param="1",
                ).save()

-    def can_be_managed_by(self, user: User) -> bool:
-        """Tell if the user can manage the file (edit, delete, etc.) or not.
-        Apply the following rules:
-            - If the file is not in the SAS nor in the profiles directory, it can be "managed" by anyone -> return True
-            - If the file is in the SAS, only the SAS admins (or roots) can manage it -> return True if the user is in the SAS admin group or is a root
-            - If the file is in the profiles directory, only the roots can manage it -> return True if the user is a root.
-
-        Returns:
-            True if the file is managed by the SAS or within the profiles directory, False otherwise
-        """
-        # If the file is not in the SAS nor in the profiles directory, it can be "managed" by anyone
-        profiles_dir = SithFile.objects.filter(name="profiles").first()
-        if not self.is_in_sas and not profiles_dir in self.get_parent_list():
-            return True
-
-        # If the file is in the SAS, only the SAS admins (or roots) can manage it
-        if self.is_in_sas and (
-            user.is_in_group(settings.SITH_GROUP_SAS_ADMIN_ID) or user.is_root
-        ):
-            return True
-
-        # If the file is in the profiles directory, only the roots can manage it
-        if profiles_dir in self.get_parent_list() and (
-            user.is_root or user.is_board_member
-        ):
-            return True
-
-        return False
-
    def is_owned_by(self, user):
        if user.is_anonymous:
            return False
-        if hasattr(self, "profile_of") and user.is_board_member:
+        if user.is_root:
            return True
+        if hasattr(self, "profile_of"):
+            # if the `profile_of` attribute is set, this file is a profile picture
+            # and profile pictures may only be edited by board members
+            return user.is_board_member
        if user.is_com_admin:
            return True
        if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
@ -993,7 +968,7 @@ class SithFile(models.Model):
            return user.can_view(self.scrub_of)
        return False

-    def delete(self):
+    def delete(self, *args, **kwargs):
        for c in self.children.all():
            c.delete()
        self.file.delete()
--- a/core/views/files.py
+++ b/core/views/files.py
@ -190,13 +190,6 @@ class FileEditView(CanEditMixin, UpdateView):
    template_name = "core/file_edit.jinja"
    context_object_name = "file"

-    def get(self, request, *args, **kwargs):
-        self.object = self.get_object()
-        if not self.object.can_be_managed_by(request.user):
-            raise PermissionDenied
-
-        return super().get(request, *args, **kwargs)
-
    def get_form_class(self):
        fields = ["name", "is_moderated"]
        if self.object.is_file:
@ -242,13 +235,6 @@ class FileEditPropView(CanEditPropMixin, UpdateView):
    context_object_name = "file"
    form_class = FileEditPropForm

-    def get(self, request, *args, **kwargs):
-        self.object = self.get_object()
-        if not self.object.can_be_managed_by(request.user):
-            raise PermissionDenied
-
-        return super().get(request, *args, **kwargs)
-
    def get_form(self, form_class=None):
        form = super().get_form(form_class)
        form.fields["parent"].queryset = SithFile.objects.filter(is_folder=True)
@ -322,9 +308,6 @@ class FileView(CanViewMixin, DetailView, FormMixin):

    def get(self, request, *args, **kwargs):
        self.form = self.get_form()
-        if not self.object.can_be_managed_by(request.user):
-            raise PermissionDenied
-
        if "clipboard" not in request.session.keys():
            request.session["clipboard"] = []
        return super().get(request, *args, **kwargs)
@ -372,13 +355,6 @@ class FileDeleteView(CanEditPropMixin, DeleteView):
    template_name = "core/file_delete_confirm.jinja"
    context_object_name = "file"

-    def get(self, request, *args, **kwargs):
-        self.object = self.get_object()
-        if not self.object.can_be_managed_by(request.user):
-            raise PermissionDenied
-
-        return super().get(request, *args, **kwargs)
-
    def get_success_url(self):
        self.object.file.delete()  # Doing it here or overloading delete() is the same, so let's do it here
        if "next" in self.request.GET.keys():
@ -416,6 +392,7 @@ class FileModerateView(CanEditPropMixin, SingleObjectMixin):
    model = SithFile
    pk_url_kwarg = "file_id"

+    # FIXME : wrong http method. This should be a POST or a DELETE request
    def get(self, request, *args, **kwargs):
        self.object = self.get_object()
        self.object.is_moderated = True
--- a/core/views/user.py
+++ b/core/views/user.py
@ -561,6 +561,8 @@ class UserListView(ListView, CanEditPropMixin):
    template_name = "core/user_list.jinja"


+# FIXME: the edit_once fields aren't displayed to the user (as expected).
+#  However, if the user re-add them manually in the form, they are saved.
 class UserUpdateProfileView(UserTabsMixin, CanEditMixin, UpdateView):
    """Edit a user's profile."""